summaryrefslogtreecommitdiffstats
path: root/wiki/src/contribute/design/I2P.mdwn
blob: 3f7473e36435f4727937b4e42c78115ddea22b4c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
[[!toc levels=2]]

Rationale
=========

I2P is yet another anonymizing network (load-balanced unspoofable
packet switching network) that provides access to eepsites (`.i2p` TLD);
eepsites are a bit like Tor hidden services. Some users would like to
be able to access eepsites from Tails.

Versions
========

[I2P](https:/geti2p.net) has been included since Tails v0.7 with the web browser
preconfigured using FoxyProxy so that eepsites (`.i2p` TLD) are directed to
I2P. All other traffic gets routed through Tor.

Starting with Tails 1.1.1, I2P is not enabled by default when Tails starts.
In order to use I2P, a user must add the <span class="command">i2p</span> boot option
to the <span class="application">boot menu</span>.

<a id="design"></a>

Design
======

I2P has seen increased growth over the last few years with around 30,000 active
peers routing traffic but it is still not as well known as Tor. I2P is not
started automatically. Some reasons behind this decision include:


1. increased usage of the system CPU (lots of computationally heavy
   crypto is needed for relaying traffic) and RAM (Java based)

2. the possible raised suspicion from adversaries by being associated
   with yet another anonymity network (especially severe if one uses
   Tor bridges)

3. some level of system compromise through 0-day exploits in the I2P
   client

Users that want to use I2P must start it manually from the `Applications` menu.
In the future one may be able to start I2P during boot (see the [[!tails_todo
boot_menu]] TODO page).

Implementation
==============

The I2P project hosts an [APT repository](http://deb.i2p2.no) from which users can
easily install I2P. It installs the application to `/usr/share/i2p`. Upon the
first start template files are copied, with changes, to the data directory at
`/var/lib/i2p/i2p-config/`.  This separation is essential and was not possible
some years ago. This package includes an initscript which is configured by
default to start the I2P client as the `i2psvc` user.

The above package is installed but its init script is not automatically run
during boot. Instead, an I2P shortcut has been added to the applications
menu which the user can use to start the I2P init script manually. A
side-effect of installing the actual I2P program into /usr is that
automatic updates are disabled by the program since the installation
directory is not writable by the `i2psvc` user.

For better performance an exception has been made in the [[firewall
configuration|Tor_enforcement/Network_filter]] that grants direct access to the
network for the I2P user running the client so it can reach the I2P
network directly, both through TCP and UDP.

The I2P router is configured to run in hidden mode: killing I2P
ungracefully is bad for the I2P network, and this is most likely
a prevalent behaviour among Tails users. For I2P to shutdown
gracefully, it needs up to 11 minutes to let all its current
participatory tunnels to expire. Killing I2P before that makes peers
using these participatory tunnels experience timeouts and disconnects,
which most definitely is bad for the network. Since Tails users are
likely to shutdown Tails quickly without waiting these 11 minutes,
this is a good reason to enable hidden mode, that is to disable
participating in I2P traffic:
[[!tails_gitweb config/chroot_local-hooks/16-i2p_config]].

[[!tails_todo iceweasel_addon_-_FoxyProxy desc="FoxyProxy"]] has been installed
system-wide, and the default web browser profile provides with a
configuration handling the I2P integration. FoxyProxy's whitelist
filter is used to make sure that the corresponding urls will be
proxied appropriately.

Below are the patterns that each url handled by the web browser will be
matched against. These patterns will be tried in order, from top to
bottom, until the first match is found:

1. The I2P router console: urls matching the `http://127.0.0.1:7657/*` wildcard
   pattern will get a direct connection to the local host so the I2P
   router console can be reached.

2. The local *eepsite*: urls matching the `http://127.0.0.1:7658/*` wildcard
   pattern will get a direct connection to the local host so the locally
   hosted eepsite can be reached.

3. I2P eepsites: urls matching the
   `^https?://[-a-zA-Z0-9.]+\.i2p(:[0-9]{1,5})?(/.*)?$` regexp will be
   proxied through the local eepsite HTTP proxy run by the I2P client.
   Implementation note: FoxyProxy encloses the regexps between `^` and
   `$` itself since `isMultiLine="false"`, that's why the regexp in
   `foxyproxy.xml` lacks these chars.

4. Tor HTTP(s): urls matching one of the `https://*` and `http://*`
   wildcard patterns will be proxied through polipo (and then its
   parent proxy, Tor).

5. The rest: all remaining urls will be SOCKS5-proxied through Tor.

Also, do note that Tails' [[netfilter-based
blocking|Tor_enforcement/Network_filter]] ensures that no Internet
traffic can be escape both Tor or I2P (and thus be non-anonymous) even
if something is wrong in the above filters (or a future revision).

Disabling / Enabling I2P
========================

During the build process, [[!tails_gitweb config/chroot_local-hooks/97-remove_i2p]]
moves I2P from its normal location at `/usr/share/i2p` to
`/usr/share/tails/i2p-disabled`. The script [[!tails_gitweb config/chroot_local-includes/lib/live/config/2080-install-i2p]] checks for the
string `i2p` in the kernel command line. If it is found, everything moved by
[[!tails_gitweb config/chroot-local_hooks/97-remove_i2p]] is undone, making I2P available in the system.


Ports allowed through the firewall
==================================

Services on I2P are accessed through tunnels built by I2P. Services that a user
hosts, such as an *eepsite* or *IRC Server* are accessed remotely via **Server Tunnels**.
End users will access services using **client tunnels**. I2P is shipped with a
few tunnels preconfigured and the ports that they use have exceptions added to
ferm. These ports include:

* 4444, I2P HTTP Proxy: Used to access sites with the `.i2p` TLD
* 4445, HTTPS Outproxy tunnel: Disabled in by default in Tails in
  [I2PTunnel](http://127.0.0.1:7657/i2ptunnel) since all HTTPS traffic in Tails
  gets routed through Tor.
* 6668, Tunnel to Irc2P: Used to connect to the main I2P-only IRC network
* 7656, [SAM](https://geti2p.net/sam): SAM is an application bridge allowing
  non-Java clients to use I2P.  More information:
  [SAMv1](https://geti2p.net/samv1), [SAMv2](https://geti2p.net/samv2),
* 7657, I2P router console: The router console is accessible in the web browser at <http://127.0.0.1:7657>
* 7658, local 'eepsite': Each I2P installation is configured out of the box
  with the possibility to host one's own website (or *eepsite*) on the I2P
  network. The eepsite will not be acessible remotely unless its
  [tunnel](http://127.0.0.1:7657/i2ptunnel#localServerTunnelList) is started.
* 7659, SMTP Proxy: Tunnel to `smtp.postman.i2p`. More information is available from within I2P at [Postman's HQ](http://hq.postman.i2p/?page_id=10)
* 7660, POP3 Proxy: Tunnel to `pop3.postman.i2p`. More information is available from within I2P at [Postman's HQ](http://hq.postman.i2p/?page_id=11)
* 8998, MTN Proxy: Tunnel to `mtn.i2p2.i2p`, a [Monotone](http://monotone.ca) server.

Note: These ports will only be opened if the user explicitly requests I2P at the boot prompt.
See [[!tails_gitweb config/chroot_local-includes/etc/ferm/ferm.conf]] for details.

Features that require an administration password
================================================

The `amnesia` user does not have access to `/var/lib/i2p`. In practice this
will not be an issue unless one wants to

* host content on an `eepsite`
* use the integrated I2P-only bittorrent client,
  [I2PSnark](http://127.0.0.1:7657/i2psnark)

In order to utilize these features users need to set an
[[doc/first_steps/startup_options/administration_password]].

Changes from upstream
=====================

* i2cp, allowing java clients to communicate with I2P from outside of the JVM, is disabled
* IPv6 is disabled
* HiddenMode is set for all users
* Updating I2P from within the I2P network is disabled; updates are done using the .debs
* Inbound connections are disabled
* I2P plugins are disabled
* The webapp `susimail` will leave mail on the server

Package source and upgrading I2P
================================

Tails uses the I2P (and deps)
[Debian packages prepared by KillYourTV](http://deb.i2p2.no/), the official I2P
Linux package maintainer as listed on the [I2P Team page](https://geti2p.net/team).
The I2P source package and its binaries are imported into to our own
[[APT repository|APT_repository]] into the devel or stable suite. The suite
will depend on whether a major- or point-release is being prepared.

## Prepare a Git topic branch

Create a Git branch, forked off the branch into which the new packages
shall eventually be imported into, and called e.g.
`feature/i2p-0.n.m`. Push this branch.

## Check the binary packages

### Content

    dpkg-deb --contents i2p-router_*.deb | awk '{print $6}' | \
       grep -v -E '^\./($|usr/(share/doc/i2p-router/|share/i2p/|share/$|share/doc/$|bin/eepget|bin/i2prouter-nowrapper|share/man/man1/eepget\.1\.gz$|share/man/$|share/man/man1/$|bin/$|$))'

    dpkg-deb --contents i2p_*.deb | awk '{print $6}' | \
       grep -v -E '^\./($|etc/$|etc/i2p/|etc/init\.d/i2p$|etc/init\.d/$|usr/$|usr/share/$|usr/share/man/$|usr/share/man/man1/$|usr/share/man/man1/i2prouter\.1\.gz$|usr/share/doc/$|usr/share/doc/i2p$|usr/bin/$|usr/bin/i2prouter$)'

    dpkg-deb --contents libjbigi-jni_*.deb | awk '{print $6}' | \
       grep -v -E '^\./($|usr/$|usr/lib/$|usr/lib/jni/|usr/share/$|usr/share/doc/$|usr/share/doc/libjbigi-jni$)'

### Maintainer scripts

Have a look at `*.{pre,post}{inst,rm}` and `*.configure` maintainer
scripts in each binary package.

## Import the packages

1. scp the source and binary packages to incoming.deb.tails.boum.org
1. move the uploaded files somewhere, and set permissions on it, so
   that the `reprepro` user can read it
1. use `reprepro includedsc` to import the source package(s) into the
   APT suite dedicated to the Git topic branch create above (e.g.
   `feature-i2p-0.n.m`)
1. use `reprepro includedeb` to import the binary package(s) into the
   same dedicated APT suite
1. build an ISO from the Git branch created above
1. test this ISO
1. merge the Git branch and APT suite as appropriate

Things to meditate upon
=======================

* Pattern 4 will catch ftp://.* and redirect them to Tor through
  SOCKS5. This effectively breaks FTP completely, so there's room for
  adding a pattern above number 4 which matches ftp connections
  (i.e. `^ftp://.*`) and proxies them through some ftp proxy using Tor
  as its parent proxy. See [[!tails_todo FTP_in_Iceweasel desc="FTP in Tor Browser"]]. As an addition,
  at the moment (versions <=0.8) ftp does not work in I2P for
  technical reasons, so no pattern for that is needed.

* Do we want to enable the "Hidden mode" which completely disables
  participating traffic?

 - Pros:

  - the IP address will not be published in I2P's distributed NetDB so
    any adversary trying to enumerate all I2P users can only find the
    user if he or she happens to use the adversary as an entry to the I2P
    network. Hence the reason not to enable I2P per default due to
    increased suspicion (3) is somewhat alleviated.

  - there will be no additional network traffic used for relaying
    other I2P peers traffic, so the network traffic reason (1) for not
    starting I2P per default is essentially completely eliminated, and
    the CPU/RAM reason (2) is made considerably less severe.

 - Cons:

  - there's no "cover-traffic", which may decrease the anonymity
    somewhat.

* Are the patterns used above correct for their intended purposes?
  Does the FoxyProxy setup in any way open up for attacks? See
  [[!tails_todo iceweasel_addon_-_FoxyProxy desc="FoxyProxy"]].